I came across a unique client requirement to deploy an interactive mode application. In this post, you shall see how to use ServiceUI with Intune to Bring the SYSTEM Process to Interactive Mode while deploying an application.
Let’s learn how to make Intunewin32 application deployment with a message popup. Well, not with user access but with System access. I wrote several posts on Intune win32-based app deployment (Part 1 and Part 2).
Introduction
Every program on your computer needs a process. Each process belongs to a Session. In the windows operating system, the system process executes in session 0 and the user process in sessions 1 and above.
It is a security control that prevents user process interference with the system process by design. This post will discuss how to bring the system process to interactive mode during intune deployment.
- Session 0 hosts the System process which includes Intune app install process
- Session 1 hosts User logon and user-initiated process
We can see the process and session details from the task manager. By default, Windows will not show you the Session ID. You can see it by clicking on the View menu item -> “Select Columns…” Turn on the option “Session ID.”
Scenarios – Use ServiceUI with Intune to Bring SYSTEM Process to Interactive Mode
By default, Intune uses system context to install an application in session 0. A user in session 1 will not view any dialog box or message box from intune. There will be some scenarios that need end-user interaction with the Intune process.
Below are some of them.
Scenario 1: Some apps cannot be packaged because of how the software is developed. Or user needs to interact with apps during installation to input the license key. So how this type of app can deploy from Intune.
Scenario 2: If IT wants to give a pop-up message to the end-user before app installation. For example: Provide notification to end-user to close IE.
The solution for both above scenarios is to bring the system from session 0 to session 1. There is 2 approach to achieving this.
Change the Installation Behavior
By default, the App install behavior is System. As shown below, I changed from “System” to “User.”
This approach launches the installation of the app under the user context instead of the system context. As shown below, you see the install process context details from the Log – IntuneManagementExtension.log
The drawback of this approach is user permission. The user interacting with the installation may need elevated rights based on the apps.
Use the ServiceUI with Intune
ServiceUI is an executable that comes with the Microsoft deployment toolkit. ServiceUI can detect the user session and allow user interaction. You can download MDT from here and install it. Once MDT is installed, you can find the exe in the below path. The syntax is shown below.
Let’s discuss how to use the serviceui along with intune
Step 1: Copy the serviceui64.exe to your package source file folder, as shown below. Then Convert the install source folder to intunewin format for Intune deployment. For more details on Intune win deployment, refer here.
Step 2: Upload the intunewin file to intune. For more details, refer here.
Step 3: Configure the command line as shown below. In install, the command makes sure you Call ServiceUI using the end-user’s process.
I used “explorer.exe” in the example below because it exists in every user session. This enables ServiceUI to detect the end-user’s session and allow it to interact with it.
ServiceUIx64.exe -process:explorer.exe Install.bat
Result Scenario 1 – Use ServiceUI with Intune to Bring SYSTEM Process to Interactive Mode
Users will get an installation wizard to interact, as shown below.
NOTE: installation wizard launched in system context even though the user can interact.
Result Scenario 2 – Use ServiceUI with Intune to Bring SYSTEM Process to Interactive Mode
If you are required to send a popup message, you can write a script and deploy it as intune win32 apps.
Resources
- Intune Management Extension Level 3 Troubleshooting Guide Intune win32 App
- Intune Win32 App Failure Log Collection Backend Secrets
- Intune Application Model Deployment Guide
Author
Vimal has more than ten years of experience in SCCM device management solutions. His main focus is on Device Management technologies like Microsoft Intune, ConfigMgr (SCCM), OS Deployment, and Patch Management. He writes about the technologies like SCCM, Windows 10, Microsoft Intune, and MDT.
Vimal, your article is amazing. Thank you. I just have a question on the install command for different files like .vbs when you run it as a system?
Thanks
Nice tips !
I was looking for something like this for a powershell script launched via Intune.
Many thanks 😉
Safe to assume that the installation will fail if no user session exists? And then retry and eventually succeed after a user has logged on?
Slightly confused. You talk about getting the file SERVICEUI.EXE from the MDT folder but then start referring to SERVICEUI64.exe and a screen shot mentioning SERVICEUIX64.exe.
Can you clear this up for me please?
Oh god, that’s excactly what I needed! Damn Adobe Creative Cloud xD, won’t Install properly so I switched to PSAppDeploymentTool, but it wouldn’t show the close apps windows. Now it does, again BIG THANKS!!!!!!
Thanks, this helps a lot.
I have requested this in MS intune feedback site, I want this feature available intune, because SCCM can handle this.
https://feedbackportal.microsoft.com/feedback/idea/bc1837a6-29c6-ed11-a81b-002248519701
When I try to deploy the application using ServiceUI.exe, the command prompt is also elevated as I am using Install.bat. What should be done to just elevate the prompt that I am giving via .vbs file which I am calling under Install.bat and not the command prompt along with it.
Is there a way to force the program to appear in the foreground?
If launched from the Intune Company Portal the installer gets hidden behind it.